cds-design-to-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to call the Figma MCP server (get_design_context, get_screenshot, get_metadata) and download assets from arbitrary Figma URLs (see SKILL.md Steps 2–4), and then to interpret that untrusted, user-generated design content to drive component selection and code-generation decisions—therefore it ingests third-party content that can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires and at runtime fetches user-provided Figma node URLs (e.g. https://figma.com/design/:fileKey/:fileName?node-id=...) via the Figma MCP server (get_design_context/get_screenshot) and injects that fetched design/CodeConnect snippet content into the agent context to drive implementation, so the external Figma URL directly controls prompts/results.